Comments on IT in the Frozen Tundra: Securing RD Gateway with Web Application Proxy - Part 2
Blog author: Tom Murphy. Comment feed last updated 2019-01-31.

Thomas (2018-07-08 13:32 -05:00):
Hi Colin,
No, we never managed to get this working. In the end we chose a VPN-based solution as an alternative.
Thomas

colin weiner (2018-07-06 16:35 -05:00):
Hi Tom,
Have you had any luck getting a non-domain-joined WAP to function properly with RDGs?
-Colin

Tom Murphy (2018-02-27 11:10 -06:00):
Hi Thomas, theoretically it should be possible, and yes, having the WAP server in a perimeter network, either non-domain joined or joined to a perimeter domain, is certainly best practice. I was not able to get it working at the time.

Thomas (2018-02-20 03:35 -06:00):
Good day, is it possible to have the WAP server in another domain than the ADFS server? The environment has a separate domain for all DMZ infrastructure, so WAP is in the DMZ domain and all other components are in the internal domain. We are facing the problem that credentials are not passed correctly from ADFS to the RDWeb page. In IE credentials are passed from ADFS to RDWeb, but you don't get to the actual app page. You reach the RDWeb page where the credentials are filled in, but you still need to click sign in. In Chrome no credentials are passed at all and you need to re-enter them. Hope I am clear enough...
Does anyone have experience with this issue?

Naudski (2017-08-15 02:21 -05:00):
Hi,
Is there anyone here who has overcome the credentials popup when launching a RemoteApp or a remote desktop from the RDWeb page?
I also have SSO to RDWeb through ADFS without the use of WAP.
Arnaud

Tom Murphy (2017-07-05 14:16 -05:00):
I do not believe this configuration will support iOS devices. WAP sends the token to RD Gateway via an ActiveX control, which isn't going to work with iOS.

Blackforce (2017-07-03 04:16 -05:00):
Did anyone manage to get this working when the Gateway servers are load balanced? I have built a lab in Azure with an Azure internal load balancer for the gateway. The logins seem hit and miss.

mark fuller (2017-06-30 10:36 -05:00):
Hi,
Thanks for this guide, it's brilliant. Question though: I have users that use the RD client for iPad and iPhone, and when I set up our RD RemoteApp with ADFS the client stops working. Do you know if the client supports this? Or is there extra config needed?
Mark

Unknown (2017-05-11 06:58 -05:00):
Hi, yes we have. Since we need highly available RDWeb we set up a non-claims trust, and we also tried to make the RDWeb application pool run as a user and put the SPN on the user. But we haven't got it working. Seems no one has done it with non-claims and load-balanced RDWeb...

carreterock (2017-02-14 16:14 -06:00):
Does anyone know if there were any improvements in RDS 2016 and WAP?

Tom Murphy (2017-02-02 19:26 -06:00):
No, I don't believe I tried this configuration.

maTTko (2017-02-02 04:00 -06:00):
Hello,
I don't like the setup where you authenticate to ADFS, then RDWeb and then RD Gateway. I created a non-claims-aware relying party trust, set KCD to the SPN for the server hosting RDWeb and Gateway, and reconfigured IIS from forms authentication to Windows integrated authentication.

Result:
WAP -> ADFS -> SSO to RDWeb: working great. Then you need to enter credentials when running the RDP file.

In my setup I am using everything HA. I reconfigured RDWeb to run under a service account (IIS app pool: instead of AppPoolIdentity, set permissions for the service account, policy for the account [log on as batch, ...]). Of course, I updated the SPN to the service account.

Problem:
- internal network: all working fine
- external network: error 401

2nd try:
updated RPC / RPC with cert with the service account as well
- internal network: all working fine
- external network: too many redirects

On the WAP server there are just some unclear errors in the event log.

Did you or anyone else try to set up RDWeb / GW under a service account behind WAP?

Tom Murphy (2017-01-17 21:30 -06:00):
My implementation had clipboard redirection explicitly disabled for security reasons, so I'm unable to comment.

Unknown (2017-01-17 02:55 -06:00):
Hi Tom,
Followed your guide, got everything working sweet... except: the clipboard redirection ONLY works when the client is able to 'Bypass RD Gateway for local address'.

The only deviation from your guide is that my WAPs are in a DMZ AD forest and my ADFS and RD* servers are in an internal AD forest. There is a one-way trust between the forests.

You mentioned that you could only get things working properly when all the servers are in the same AD domain. Was clipboard redirection one of the things that failed to work correctly?

I can't for the life of me find any relevant info on the internet.
Trautie

Eric Hoy (2016-10-11 09:32 -05:00):
Hi Tom,
Great article, much appreciated. I have tried this a couple of times now and just can't get this working. Could I ask for some of your experience?

Internally the RDS works fine.
Externally the WAP server constantly attempts to service the RDS session.

To explain further:
- I browse to https://rdp.service.com
- I get pre-authenticated by the ADFS portal
- I log in to RDWeb
- I select my app; the popup shows the SSL certificate is the third-party SAN cert on my RDS server
- I then get another RDP popup showing the self-signed certificate of my WAP server.

If you have any suggestions I would be very grateful, as I've been banging my head against this for a week!

Many thanks

Unknown (2016-09-14 16:56 -05:00):
I have followed this guide step by step but am still encountering an issue. I can pre-auth to RDWeb, then log in to RDWeb and launch an application, but the application says failed login every time and I can't get past it. I don't think it is passing the cookie correctly to the gateway for auth. No matter what creds I enter they are never accepted. Any ideas?

Mark (2016-09-01 14:42 -05:00):
Saw the other comment, disregard this.

Mark (2016-09-01 14:37 -05:00):
I'm confused, should this work in Chrome/Firefox/etc.? Because in those browsers it just downloads a .rdp file. And I'm not sure how opening that would "retrieve the ADFS edge token from the browser".

Farrukh Khanzada (2016-08-23 20:08 -05:00):
Thank you very much for this great post.
Just adding that it works very well too if you select "Pass-through" under the "Specify the preauthentication method" tab. This way the ADFS login page can be skipped and you can directly access the RD Web login page.

The only backdoor that I see is that it allows direct connections to back-end resources when specifying GW settings in MSTSC, but that can also be managed by limiting "RD Gateway-managed group members" in Resource Authorization Policies to the RDSCB and RDSH servers, for which access can be further controlled by applying server-level restrictions.

Cheers,

Peter (2016-06-03 10:08 -05:00):
Thank you very much Tom. I will continue my configuration. Your post is awesome.

Tom Murphy (2016-06-01 20:47 -05:00):
Hi Peter. I'm not having issues getting to the KB article for 2982037. It appears Microsoft has included that hotfix with the 2975719 hotfix rollup - https://support.microsoft.com/en-us/kb/2975719

Peter (2016-05-31 17:15 -05:00):
Hi Tom,
I was wondering about the hotfix KB2982037. This site is not available anymore. Is it still required, or is this fix included in newer updates?